I guess this would count as a meaningful CSP violation. (link rel=stylesheet in header, though haven't looked in to see if it works without also repetitively listing it in the response body content) I thought it might be a case of such, but didn't find documentation for anything other than prefetching in the header version.

https://code.google.com/p/chromium/issues/detail?id=58456#c15

On 11/17/14, 4:50 PM, "Deian Stefan" <deian@cs.stanford.edu> wrote:

>Brad Hill <hillbrad@fb.com> writes:
>
>> I wonder a bit how much this actually matters for the guarantees we're
>>trying to make for CSP?
>>
>> If I prefetch something that is later denied to be included /
>>transcluded into a page via CSP, have I violated the policy?
>>
>> Even if we decide to use CSP for confinement (which it presently makes
>>no strong guarantees of) is link fetching that happens before the
>>instantiation of a resource in the scope of that confinement?
>>
>> I think an example of an actual vulnerability that we would care about
>>addressing would help me reason about this better.
>
>I think you're right, this is not technically a violation of the
>policy. Even in the context of confinement. I think the issue is one
>mistakenly assuming that the CSP applies to all fetching vs. it only
>applying to all subsequent fetches.
>
>Deian

Received on Tuesday, 18 November 2014 01:49:44 UTC
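
Added example, not part of the original thread or of any browser's code: a response-header audit that lists `Link` header targets which the same response's CSP would refuse if they were loaded from the document body. The rel-to-directive mapping (in particular `prefetch` to `default-src`), the simplified source matching, the function names and the sample headers are assumptions of this example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Link relation -> CSP directive used for the comparison. The prefetch
# mapping is an assumption of this example, not something the thread settles.
REL_DIRECTIVE = {"stylesheet": "style-src", "prefetch": "default-src"}
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+(?:=(?:"[^"]*"|[^;,]*))?)*)')
REL_RE = re.compile(r';\s*rel\s*=\s*(?:"([^"]*)"|([^;,\s]*))', re.I)
# Constructed sample response (header names must be spelled as shown).
SAMPLE_PAGE = "https://app.example.com/index.html"
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' https://static.example.com",
    "Link": '<https://cdn.example.net/site.css>; rel=stylesheet, </next.html>; rel="prefetch", '
            '<https://static.example.com/a.css>; rel="stylesheet"',
}


def parse_csp(value):
    """Return {directive: [source, ...]}; the first copy of a directive wins."""
    parts = (p.split() for p in value.split(";"))
    return {p[0].lower(): p[1:] for p in reversed([p for p in parts if p])}


def origin(url):
    return "{0.scheme}://{0.netloc}".format(urlsplit(url)).lower()


def allowed(url, sources, page_url):
    """Simplified matching: '*', 'self', or an exact origin/host source."""
    ok = {"*", origin(url), urlsplit(url).netloc.lower()}
    if origin(url) == origin(page_url):
        ok.add("'self'")
    return any(s.lower() in ok for s in sources)


def link_header_csp_gaps(page_url, headers):
    """List (rel, url, directive) for Link targets the page's own CSP would block."""
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    gaps = []
    for target, params in LINK_RE.findall(headers.get("Link", "")):
        m = REL_RE.search(params)
        rels = (m.group(1) or m.group(2) or "").lower().split() if m else []
        url = urljoin(page_url, target)
        for rel in rels:
            directive = REL_DIRECTIVE.get(rel)
            sources = policy.get(directive, policy.get("default-src"))
            if directive and sources is not None and not allowed(url, sources, page_url):
                gaps.append((rel, url, directive))
    return gaps
```

A non-empty result means the response asks for a fetch through the header that its own policy would not permit from markup, which is the mismatch the thread is debating.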